WEB APPLICATION SECURITY: YOUR LAST LINE OF DEFENSE

Anthony Lim, MBA CISSP FCITIL
Director, Asia Pacific Security, Rational Software
IBM Software Group, © IBM Corporation
Hong Kong, 03-12-08

IBM Software Group

IBM Internal Use Only


The Security Journey Continues

• New and More …
  • Applications
  • Services
  • Systems
  -> Vulnerabilities
  -> Hacking methods
  -> Viruses, Worms, RATs, Bots … (Remote Access Trojans = Spyware)
  -> GOVERNANCE & COMPLIANCE!

NEW AREAS OF IT SECURITY WEAKNESS ARISE ALL THE TIME

Regulation & Compliance: SARBANES-OXLEY, HIPAA, BASEL II …

• It is part of doing business
• Business Continuity
• An environment of TRUST for doing business
• Ensure Orderliness in the Internet world
• Promote Economic growth
• More than just Confidentiality, Integrity and Availability
• Privacy: 3rd Party Customer Data

People never learn – there will be another Edison Chen case – that’s why I still have a job today

Sheer Volume of Applications Keeps You From Getting Ahead of the Problems

1. Security Team Has Become a Bottleneck
2. Lack of Control and Visibility
3. Catching Problems Late in the Cycle
4. Not Monitoring Deployed Applications
5. Difficulty Managing 3rd Party Vendors

Have to do more with less, still; Risk is high, accountability is prevalent

It Gets Worse
• WAP, GPRS, EDGE, 3G
• 802.1x
• Broadband

A hacker no longer needs a big machine

Software Application Development Pressures

4 most common laments of the development executive

I’m being asked to:

• Deliver product faster (a lot faster!)

• Increase product innovation

• Improve quality

• Reduce cost


WE ARE HIGHLY DEPENDENT ON WEB SERVICES TODAY

• COMMUNICATIONS: E-Mail, Instant Messaging, Information Transfer
• TRANSACTIONS / ONLINE SERVICES: Internet Banking, e-shopping, Stock trading, B2B, C2C, E-Bay, E*Trade, Amazon, Travel booking, etc.
• WORK / BUSINESS: Internet, Intranet, Extranet; ERP, SCM, CRM, SAP, B2BM, B2C, Company international information services
• PLAY / SOCIAL NETWORKING / RECREATION: YouTube, Facebook, Second Life, Friendster, iTunes, MySpace, BLOGS! …; Organization Membership Portal
• EDUCATION / RESEARCH
• ONLINE STORAGE SERVICES
• …

The Myth: “Our Site Is Safe”

We Have Firewalls and IPS in Place
-> Port 80 & 443 are open for the right reasons

We Use Network Vulnerability Scanners
-> Neglect the security of the software on the network/web server

We Audit It Once a Quarter with Pen Testers
-> Applications are constantly changing

We Use SSL Encryption
-> Only protects data between site and user, not the web application itself

SO WHY ARE THESE HAPPENING?

The Alarming Reality

• LexisNexis Data Breach - Washington Post, Feb 17, 2008
• IndiaTimes.com Malware - InformationWeek, Feb 17, 2008
• Hacker breaks into Ecuador’s presidential website - Thaindian, Feb 11, 2008
• Hacking Stage 6 - Wikipedia, Feb 9 2007
• Hacker steals Davidson Cos client data - Falls Tribune, Feb 4 2008
• RIAA wiped off the Net - TheRegister, Jan 20 2008
• Chinese hacker steals 18M identities - HackBase.com, Feb 10, 2008
• Mac blogs defaced by XSS - The Register, Feb 17, 2008
• U.S. Embassy Web Site In Manila, Defaced - AllHeadlineNews, Mar 27, 2008
• Greek Ministry websites attacked - eKathimerini, Jan 31, 2008
• Drive-by Pharming in the Wild - Symantec, Jan 21 2008
• Italian Bank hit by XSS fraudsters - Netcraft, Jan 8 2008
• Two Indonesian government web sites defaced - CNET Asia, Mar 29, 2008

Real Example: Online Travel Reservation Portal

Change the reserID to 2001200

Real Example: Parameter Tampering – Reading another user’s transaction (insufficient authorization)

Another customer’s transaction slip is revealed, including the email address

Parameter Tampering – Reading another user’s invoice

The same customer invoice that reveals the address and contact number
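The parameter-tampering demo above is an insufficient-authorization flaw: the portal fetches whatever record the client-supplied reserID names. As an added example that is not part of the slides, the Python below shows the lookup in that vulnerable form, the same lookup with a server-side ownership check, and a small audit pass over constructed access-log lines that surfaces the pattern on a deployment that still lacks the check. The reservation data, user names, log format and function names are all constructed for this example.

```python
# Added example, not from the slides: the insufficient-authorization flaw
# behind the "change the reserID" demo, in vulnerable and hardened form,
# plus a small audit pass that flags the tampering pattern in access logs.
# All data, names and the log format are constructed for this example.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Reservation:
    reser_id: int
    owner: str      # account that made the booking
    email: str
    address: str


# Constructed stand-in for the portal's reservation table.
RESERVATIONS: Dict[int, Reservation] = {
    2001199: Reservation(2001199, "alice", "alice@example.com", "1 First St"),
    2001200: Reservation(2001200, "bob", "bob@example.com", "2 Second Ave"),
}


class Forbidden(Exception):
    """The authenticated user is not allowed to read this record."""


def lookup_vulnerable(reser_id: int, current_user: str) -> Optional[Reservation]:
    """The flaw shown on the slide: the record is fetched by the client-supplied
    reserID alone, so any logged-in user can read any other user's slip."""
    return RESERVATIONS.get(reser_id)          # current_user is never consulted


def lookup_hardened(reser_id: int, current_user: str) -> Reservation:
    """The fix: authorize server-side against the session identity. A missing
    record and a record owned by someone else raise the same error, so the
    response does not confirm whether a guessed reserID exists."""
    record = RESERVATIONS.get(reser_id)
    if record is None or record.owner != current_user:
        raise Forbidden(f"{current_user} may not read reservation {reser_id}")
    return record


def is_forbidden(reser_id: int, current_user: str) -> bool:
    """Convenience wrapper so callers can check the outcome without try/except."""
    try:
        lookup_hardened(reser_id, current_user)
    except Forbidden:
        return True
    return False


# Constructed access-log lines: "<user> GET /transaction?reserID=<id> <status>".
SAMPLE_LOG: List[str] = [
    "alice GET /transaction?reserID=2001199 200",
    "alice GET /transaction?reserID=2001200 200",   # alice reads bob's slip
    "alice GET /transaction?reserID=2001201 404",
    "bob GET /transaction?reserID=2001200 200",
]


def parse_log_line(line: str) -> Tuple[str, int, int]:
    """Split a constructed log line into (user, reserID, HTTP status)."""
    user, _method, path, status = line.split()
    reser_id = int(path.split("reserID=", 1)[1])
    return user, reser_id, int(status)


def audit_foreign_reads(lines: List[str]) -> Dict[str, Set[int]]:
    """Detection pass for a deployment that still lacks the check: map each
    user to the reservation ids they successfully read but do not own.
    A non-empty set is the signal that authorization is missing or bypassed."""
    hits: Dict[str, Set[int]] = {}
    for line in lines:
        user, reser_id, status = parse_log_line(line)
        record = RESERVATIONS.get(reser_id)
        if status == 200 and record is not None and record.owner != user:
            hits.setdefault(user, set()).add(reser_id)
    return hits


if __name__ == "__main__":
    print(lookup_vulnerable(2001200, "alice"))   # bob's email and address leak
    print(is_forbidden(2001200, "alice"))        # True after the fix
    print(audit_foreign_reads(SAMPLE_LOG))       # {'alice': {2001200}}
```

The hardened lookup keys authorization on the session identity the server already holds, never on anything the client sends, and it returns one uniform error for "not yours" and "does not exist". The audit function is the cheap detection that a deployed application should have in place while the fix is pending: it needs only the access log and the ownership table.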


Top Hack Attacks Today Target Web Services

Web Application Hacks are a Business Issue

Application Threat | Negative Impact | Potential Business Impact
Forceful Browsing / SQL Injection | Unauthorized Site/Data Access | Read/write access to customer databases; misdirect customers to bogus site
Parameter Tampering | Fraud, Data Theft | Alter distributions and transfer accounts
Stealth Commanding | Access O/S and Application | Access to non-public personal information, fraud, etc.
Cross Site Scripting | Identity Theft | Larceny, theft, customer mistrust
Debug Options | Admin Access | Unauthorized access, privacy liability, site compromised
Hidden Fields | Site Alteration | Illegal transactions
Cookie Poisoning | Session Hijacking | Larceny, theft
Buffer Overflow | Denial of Service (DoS) | Site Unavailable; Customers Gone

The Fact: Attacks targeted at a new area

Sources: Gartner, IDC, Watchfire

[Chart: share of attacks versus share of security spending on infrastructure & services]

                 | % of Attacks | % of Dollars
Web Applications | 75%          | 10%
Network Server   | 25%          | 90%

In an organization, IT Security people and developers are poles apart

HACKING IS NOT HARD OR SPECIAL TODAY!

Web Attack – How and Why

<?/’--|@1=1scr<…

Why Do Application Security Problems Exist

Existing Solutions Don’t Address App Security

• IT Security Solutions are usually for network and infrastructure
  • Firewalls and IPS’s don’t block application attacks
  • Port 80, 8080 and 443 are open
  • Network scanners won’t find application vulnerabilities (Nessus, ISS, Qualys, Nmap, etc.)
• IT Security professionals are typically from the network/infrastructure area, and usually have little experience in software application development
• Developers are usually not trained in or mandated to security
  • 64% of developers are not confident in their ability to write secure applications – Microsoft Developer Research
• Developers do not care about security, they think it’s someone else’s job (even though they are the root cause; often developers also don’t have security experience)
• Security teams are focused on other issues (network, desktops, etc.) and overwhelmed
  • They don’t want to have to deal with another new issue that they don’t understand
• No defined policy, accountability or process to deal with the issue
  • Not many people understand application attacks today

Rational Software Quality Management Solutions

[Diagram: SOFTWARE QUALITY SOLUTIONS spanning DEVELOPMENT, OPERATIONS and BUSINESS]

• Test and Change Management (Requirements, Test, Change, Defects): Rational RequisitePro, Rational ClearQuest
• Test Automation
  • Developer Test: Rational PurifyPlus, Rational Test RealTime
  • Functional Test (Automated / Manual): Rational Functional Tester Plus, Rational Functional Tester, Rational Robot, Rational Manual Tester
  • Performance Test: Rational Performance Tester
  • Security and Compliance Test: AppScan, WebXM
• Quality Metrics: Project Dashboards, Detailed Test Results, Quality Reports

Identify Vulnerabilities

Reporting

Actionable Fix Recommendations – MOST IMPORTANT

AppScan with QA Defect Logger for ClearQuest

AppScan Enterprise / IBM Rational ClearQuest Integration

Trusted by >2000 Companies Worldwide, x00’s in Asia

• Top Technology Vendors
• Top Pharma / Clinical Companies
• Multiple Large Government Agencies
• Top Largest U.S. Retail Banks
• Veteran’s Affairs, Navy, Army, Air Force, Marines

Large, Complex Web Sites · Extensive Customer Data · Highly Regulated · High User Volume

Used by Leading Security Industry Developers and Consultants

• Consultants and Researchers
• Technology Companies
• More … (EDS)

Building security & compliance into the SDLC

SDLC stages: Coding -> QA -> Security -> Production (Developers build; Security tests)

• Enable Security to effectively drive remediation into development
• Provide Developers and Testers with expertise on detection and remediation ability
• Ensure vulnerabilities are addressed before applications are put into production

Conclusion: Application QA for Security

• The Application Must Defend Itself
  • You cannot depend on firewall or infrastructure security to do so
• Bridging the GAP between Software development and Information Security
• QA Testing for Security must now be integrated and strategic
• We need to move security QA testing back to earlier in the SDLC
  • At the production or pre-production stage it is late and expensive to fix
• Developers need to learn to write code defensively and securely
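The SDLC slide and this conclusion both argue for a security QA gate before production, with findings pushed back to developers as defects. As an added example, not code from the slides or from AppScan, the Python below implements such a gate over a constructed scan report: it counts open findings by severity, fails promotion when an assumed threshold policy is exceeded, and turns the open findings into defect-tracker records so remediation lands in development rather than staying in a report. The report layout, field names, thresholds and function names are assumptions made for this example.

```python
# Added example, not from the slides: a build gate for the "Security" stage
# of the SDLC flow (Coding -> QA -> Security -> Production). The report
# layout, finding fields and thresholds are assumptions for this example,
# not AppScan's own output format or IBM's policy.
import json
from collections import Counter
from typing import Dict, List

SEVERITY_ORDER = ("High", "Medium", "Low", "Informational")

# Assumed policy: no open High finding may reach production; a small number
# of open Medium findings may pass if they are already ticketed. Anything
# lower never blocks the build.
DEFAULT_THRESHOLDS: Dict[str, int] = {"High": 0, "Medium": 2}

# Constructed scan report for a release candidate.
SAMPLE_REPORT = json.dumps({
    "application": "travel-portal",
    "findings": [
        {"id": "F1", "severity": "High",   "issue": "SQL Injection",              "url": "/login",       "status": "open"},
        {"id": "F2", "severity": "High",   "issue": "Insufficient Authorization", "url": "/transaction", "status": "fixed"},
        {"id": "F3", "severity": "Medium", "issue": "Cross Site Scripting",       "url": "/search",      "status": "open"},
        {"id": "F4", "severity": "Medium", "issue": "Hidden Field Manipulation",  "url": "/checkout",    "status": "open"},
        {"id": "F5", "severity": "Medium", "issue": "Debug Option Enabled",       "url": "/admin",       "status": "open"},
        {"id": "F6", "severity": "Low",    "issue": "Verbose Error Message",      "url": "/",            "status": "open"},
        {"id": "F7", "severity": "High",   "issue": "Cross Site Scripting",       "url": "/comment",     "status": "false_positive"},
    ],
})


def open_findings(report_json: str) -> List[dict]:
    """Only findings still marked open count; fixed ones and triaged false
    positives do not."""
    report = json.loads(report_json)
    return [f for f in report["findings"] if f["status"] == "open"]


def count_by_severity(report_json: str) -> Dict[str, int]:
    """Number of open findings per severity bucket."""
    return dict(Counter(f["severity"] for f in open_findings(report_json)))


def evaluate_gate(report_json: str,
                  thresholds: Dict[str, int] = DEFAULT_THRESHOLDS) -> dict:
    """Decide whether the build may promote; report which buckets blocked it."""
    counts = count_by_severity(report_json)
    violations = {
        sev: counts.get(sev, 0)
        for sev, limit in thresholds.items()
        if counts.get(sev, 0) > limit
    }
    return {"passed": not violations, "violations": violations, "open": counts}


def defect_tickets(report_json: str) -> List[dict]:
    """Turn open findings into defect-tracker records, most severe first, so
    remediation is assigned to developers instead of sitting in the scan report."""
    rank = {sev: i for i, sev in enumerate(SEVERITY_ORDER)}
    rows = sorted(open_findings(report_json),
                  key=lambda f: (rank[f["severity"]], f["id"]))
    return [
        {"title": f"[{f['severity']}] {f['issue']} at {f['url']}", "finding": f["id"]}
        for f in rows
    ]


if __name__ == "__main__":
    result = evaluate_gate(SAMPLE_REPORT)
    print("gate passed:", result["passed"], result["violations"])   # False {'High': 1, 'Medium': 3}
    for ticket in defect_tickets(SAMPLE_REPORT):
        print(ticket["title"])
```

Run against the constructed report the gate fails on one open High and three open Medium findings; the fixed finding and the triaged false positive are ignored, which is the point of keeping status in the report rather than re-counting every scan from scratch. Tightening or loosening the policy is a change to the thresholds dictionary, not to the gate logic.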


SDLC QA - YOUR LAST LINE OF DEFENSE

Thank You

Anthony Lim